[31455] in Kerberos
kpasswd changes password successfully but also complains about kdc
daemon@ATHENA.MIT.EDU (Jan Sanders)
Wed Sep 9 08:28:50 2009
X-Barracuda-Envelope-From: jsanders@TechFak.Uni-Bielefeld.DE
Message-ID: <4AA79F57.4010005@TechFak.Uni-Bielefeld.DE>
Date: Wed, 09 Sep 2009 14:28:07 +0200
From: Jan Sanders <jsanders@TechFak.Uni-Bielefeld.DE>
MIME-Version: 1.0
To: Kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello List,
on my client machine I can get kerberos tickets for my principal using
the correct principalname-password combination. I can also use kadmin on
the client machine providing the correct principalname-password
combination for an admin principal. Changing the password for a
principal is no problem using kadmin.
But then I trzy to use kpasswd on the client machine. I provide kpasswd
with correct the principalname-password combination and twiche state
what the new password should be and then I wait for a couple of seconds
before kpasswd returns.
On returning it complains: Cannot contact any KDC for requested realm
But it also changed the password. After invoking kpasswd and observing
the above stated behaviour I have to provide the new password to obtain
a ticket.
Even though kpasswd works as advertised (changes the password) it will
cause some trouble telling users that the error message can safely be
ignored (if it can!!).
Using strace I could see some timeouts of select syscalls.
kpasswd obtained a file descriptor for an IP connection, connects to the
KDC and successfully sends 490 byte of data.
Then kpasswd uses the select syscall to monitor the filedescriptor which
times out twice.
kpasswd resends the 490 bytes and again waits for two select syscalls to
time out.
Then again and finally returns with the "Cannot contact any KDC for
requested realm" complaint.
strace was invoked like this:
#strace -o /tmp/kpasswd.strace -s 512 -f kpasswd testprinc
What strikes me is the invocation of the select syscall. According to
the select specification the first parameter of the syscall is the
number of monitored file descriptors + 1. The select calls as used here
only monitor 2 file descriptors (better: one filedescriptor is monitored
twice). The number of file descriptors is set to 5. I do not know how
select behaves when invoked like that and it seems not to be specified.
The (slightly sanitized) output of strace starting from the socket
request for connecting to the KDC:
8006 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
8006 connect(4, {sa_family=AF_INET, sin_port=htons(464),
sin_addr=inet_addr("[IP of KDC]")}, 16) = 0
8006 getsockname(4, {sa_family=AF_INET, sin_port=htons(35498),
sin_addr=inet_addr("[IP of self, aka client machine]")}, [16]) = 0
8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
8006 gettimeofday({1252498115, 459404}, NULL) = 0
8006 gettimeofday({1252498115, 459444}, NULL) = 0
8006 select(5, [4], [], [4], {0, 999960}) = 0 (Timeout)
8006 gettimeofday({1252498116, 457725}, NULL) = 0
8006 gettimeofday({1252498116, 457765}, NULL) = 0
8006 select(5, [4], [], [4], {2, 1639}) = 0 (Timeout)
8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
8006 gettimeofday({1252498118, 462172}, NULL) = 0
8006 gettimeofday({1252498118, 462214}, NULL) = 0
8006 select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
8006 gettimeofday({1252498119, 461724}, NULL) = 0
8006 gettimeofday({1252498119, 461763}, NULL) = 0
8006 select(5, [4], [], [4], {4, 409}) = 0 (Timeout)
8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
8006 gettimeofday({1252498123, 466171}, NULL) = 0
8006 gettimeofday({1252498123, 466213}, NULL) = 0
8006 select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
8006 gettimeofday({1252498124, 465728}, NULL) = 0
8006 gettimeofday({1252498124, 465767}, NULL) = 0
8006 select(5, [4], [], [4], {8, 404}) = 0 (Timeout)
8006 close(4) = 0
8006 write(2, "kpasswd", 7) = 7
8006 write(2, ": ", 2) = 2
8006 write(2, "Cannot contact any KDC for requested realm", 42) = 42
8006 write(2, " ", 1) = 1
8006 write(2, "changing password", 17) = 17
8006 write(2, "\r\n", 2) = 2
8006 exit_group(1) = ?
End of strace output.
I hope all this is helpful for finding the cause of the "Cannot contact
..." error.
cheers
Jan Sanders
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
